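/*
 * Copyright (C) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.  If not, see
 * <http://www.gnu.org/licenses/>.
 *
 * Author: Daniel P. Berrange <berrange@redhat.com>
 */

#ifndef TESTS_CRYPTO_TLS_X509_HELPERS_H
#define TESTS_CRYPTO_TLS_X509_HELPERS_H

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <libtasn1.h>

/*
 * Helpers for generating the X.509 certificates used by the TLS
 * test suites.  The point of the QCryptoTLSTestCertReq knobs below
 * is to let a test build certificates that are deliberately wrong
 * (no basic constraints, wrong key usage, expired, ...) so the
 * verification code can be checked to reject them.
 *
 * NOTE(review): this header does not pull in <stdbool.h>/<stddef.h>
 * itself; bool, size_t and NULL are expected to already be in scope
 * (QEMU sources include qemu/osdep.h first).  WORKDIR, used by the
 * TLS_CERT_REQ/TLS_ROOT_REQ macros, is likewise not defined here and
 * must be provided by the including file.
 */

/* Common name given to the well-behaved test client certificate */
#define QCRYPTO_TLS_TEST_CLIENT_NAME "ACME QEMU Client"
/*
 * Common name for a second client identity.  Presumably used to check
 * that a server rejects a correctly-signed certificate whose name is
 * not the one it expects (i.e. the ACL, not the signature, fails).
 */
#define QCRYPTO_TLS_TEST_CLIENT_HOSTILE_NAME "ACME Hostile Client"

/*
 * Description of one certificate to generate.
 *
 * Each optional extension is controlled by an *Enable flag (emit the
 * extension at all), a *Critical flag (mark it critical) and its
 * value, so tests can produce every combination a verifier might see.
 */
typedef struct QCryptoTLSTestCertReq QCryptoTLSTestCertReq;
struct QCryptoTLSTestCertReq {
    /*
     * Populated by test_tls_generate_cert(); the TLS_CERT_REQ macros
     * read cavarname.crt from a previously generated request to use
     * it as the signing CA.
     */
    gnutls_x509_crt_t crt;

    /* Path the generated certificate is written to */
    const char *filename;

    /* Identifying information (subject / subjectAltName) */
    const char *country;
    const char *cn;
    const char *altname1;    /* DNS-style alt name, may be NULL */
    const char *altname2;    /* DNS-style alt name, may be NULL */
    const char *ipaddr1;     /* IP-address alt name, may be NULL */
    const char *ipaddr2;     /* IP-address alt name, may be NULL */

    /* Basic constraints extension */
    bool basicConstraintsEnable;
    bool basicConstraintsCritical;
    bool basicConstraintsIsCA;

    /* Key usage extension; value is a GNUTLS_KEY_* bitmask */
    bool keyUsageEnable;
    bool keyUsageCritical;
    int keyUsageValue;

    /* Key purpose (aka Extended key usage); values are GNUTLS_KP_* OIDs */
    bool keyPurposeEnable;
    bool keyPurposeCritical;
    const char *keyPurposeOID1;
    const char *keyPurposeOID2;

    /*
     * Validity window, in hours relative to now.
     * start_offset: zero for the current time, non-zero for hours from now.
     * expire_offset: zero for 24 hours from now, non-zero for hours from now.
     * NOTE(review): a negative value presumably places the boundary in
     * the past (not-yet-valid / already-expired test cases) -- confirm
     * against test_tls_generate_cert().
     */
    int start_offset;
    int expire_offset;
};

/*
 * Generate the certificate described by @req, filling in req->crt and
 * writing it to req->filename.  @ca is the issuing certificate; the
 * TLS_ROOT_REQ* macros pass NULL for a root certificate.
 */
void test_tls_generate_cert(QCryptoTLSTestCertReq *req,
                            gnutls_x509_crt_t ca);
/* Write @ncerts certificates from @certs to @filename as one PEM file */
void test_tls_write_cert_chain(const char *filename,
                               gnutls_x509_crt_t *certs,
                               size_t ncerts);
/* Release the certificate held in @req and remove its on-disk copy */
void test_tls_discard_cert(QCryptoTLSTestCertReq *req);

/* Per-suite setup/teardown of the shared signing key stored in @keyfile */
void test_tls_init(const char *keyfile);
void test_tls_cleanup(const char *keyfile);

/*
 * Declare a static request named @varname, signed by the CA request
 * @cavarname (which must already have been generated), and generate it.
 * The certificate is written to WORKDIR "<varname>-ctx.pem".
 *
 * The remaining arguments map 1:1 onto the QCryptoTLSTestCertReq
 * fields, in declaration order.  The parameter names deliberately
 * differ from the field names: a parameter called "country" would be
 * macro-substituted inside the ".country =" designator as well.
 */
# define TLS_CERT_REQ(varname, cavarname,                               \
                      ctry, cname,                                      \
                      san1, san2,                                       \
                      ip1, ip2,                                         \
                      bcenable, bccritical, bcca,                       \
                      kuenable, kucritical, kuvalue,                    \
                      kpenable, kpcritical,                             \
                      kpoid1, kpoid2,                                   \
                      startoff, endoff)                                 \
    static QCryptoTLSTestCertReq varname = {                            \
        .crt = NULL,                                                    \
        .filename = WORKDIR #varname "-ctx.pem",                        \
        .country = ctry,                                                \
        .cn = cname,                                                    \
        .altname1 = san1,                                               \
        .altname2 = san2,                                               \
        .ipaddr1 = ip1,                                                 \
        .ipaddr2 = ip2,                                                 \
        .basicConstraintsEnable = bcenable,                             \
        .basicConstraintsCritical = bccritical,                         \
        .basicConstraintsIsCA = bcca,                                   \
        .keyUsageEnable = kuenable,                                     \
        .keyUsageCritical = kucritical,                                 \
        .keyUsageValue = kuvalue,                                       \
        .keyPurposeEnable = kpenable,                                   \
        .keyPurposeCritical = kpcritical,                               \
        .keyPurposeOID1 = kpoid1,                                       \
        .keyPurposeOID2 = kpoid2,                                       \
        .start_offset = startoff,                                       \
        .expire_offset = endoff,                                        \
    };                                                                  \
    test_tls_generate_cert(&varname, cavarname.crt)

/*
 * Same as TLS_CERT_REQ but with no issuing CA: the certificate is
 * generated as a root (test_tls_generate_cert is passed NULL).
 */
# define TLS_ROOT_REQ(varname,                                          \
                      ctry, cname,                                      \
                      san1, san2,                                       \
                      ip1, ip2,                                         \
                      bcenable, bccritical, bcca,                       \
                      kuenable, kucritical, kuvalue,                    \
                      kpenable, kpcritical,                             \
                      kpoid1, kpoid2,                                   \
                      startoff, endoff)                                 \
    static QCryptoTLSTestCertReq varname = {                            \
        .crt = NULL,                                                    \
        .filename = WORKDIR #varname "-ctx.pem",                        \
        .country = ctry,                                                \
        .cn = cname,                                                    \
        .altname1 = san1,                                               \
        .altname2 = san2,                                               \
        .ipaddr1 = ip1,                                                 \
        .ipaddr2 = ip2,                                                 \
        .basicConstraintsEnable = bcenable,                             \
        .basicConstraintsCritical = bccritical,                         \
        .basicConstraintsIsCA = bcca,                                   \
        .keyUsageEnable = kuenable,                                     \
        .keyUsageCritical = kucritical,                                 \
        .keyUsageValue = kuvalue,                                       \
        .keyPurposeEnable = kpenable,                                   \
        .keyPurposeCritical = kpcritical,                               \
        .keyPurposeOID1 = kpoid1,                                       \
        .keyPurposeOID2 = kpoid2,                                       \
        .start_offset = startoff,                                       \
        .expire_offset = endoff,                                        \
    };                                                                  \
    test_tls_generate_cert(&varname, NULL)

/*
 * A well-formed CA root: critical basicConstraints with CA=TRUE and a
 * critical keyUsage limited to certificate signing.  Written to @fname.
 * Unlike the macros above this declares a non-static variable.
 */
# define TLS_ROOT_REQ_SIMPLE(varname, fname)                            \
    QCryptoTLSTestCertReq varname = {                                   \
        .filename = fname,                                              \
        .cn = "qemu-CA",                                                \
        .basicConstraintsEnable = true,                                 \
        .basicConstraintsCritical = true,                               \
        .basicConstraintsIsCA = true,                                   \
        .keyUsageEnable = true,                                         \
        .keyUsageCritical = true,                                       \
        .keyUsageValue = GNUTLS_KEY_KEY_CERT_SIGN,                      \
    };                                                                  \
    test_tls_generate_cert(&varname, NULL)

/*
 * A well-formed end-entity client certificate with CN @cname, signed
 * by @cavarname: CA=FALSE, signature/encipherment key usage, and the
 * TLS client EKU.  Written to @fname.
 */
# define TLS_CERT_REQ_SIMPLE_CLIENT(varname, cavarname, cname, fname)   \
    QCryptoTLSTestCertReq varname = {                                   \
        .filename = fname,                                              \
        .cn = cname,                                                    \
        .basicConstraintsEnable = true,                                 \
        .basicConstraintsCritical = true,                               \
        .basicConstraintsIsCA = false,                                  \
        .keyUsageEnable = true,                                         \
        .keyUsageCritical = true,                                       \
        .keyUsageValue =                                                \
        GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,     \
        .keyPurposeEnable = true,                                       \
        .keyPurposeCritical = true,                                     \
        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_CLIENT,                     \
    };                                                                  \
    test_tls_generate_cert(&varname, cavarname.crt)

/*
 * A well-formed end-entity server certificate signed by @cavarname,
 * with the TLS server EKU.  @hostname goes into both the CN and a DNS
 * alt name, @ipaddr into an IP alt name; when @hostname is NULL the
 * CN falls back to @ipaddr.  Note @hostname is expanded twice, so pass
 * a plain literal or NULL, not an expression with side effects.
 */
# define TLS_CERT_REQ_SIMPLE_SERVER(varname, cavarname, fname,          \
                                    hostname, ipaddr)                   \
    QCryptoTLSTestCertReq varname = {                                   \
        .filename = fname,                                              \
        .cn = hostname ? hostname : ipaddr,                             \
        .altname1 = hostname,                                           \
        .ipaddr1 = ipaddr,                                              \
        .basicConstraintsEnable = true,                                 \
        .basicConstraintsCritical = true,                               \
        .basicConstraintsIsCA = false,                                  \
        .keyUsageEnable = true,                                         \
        .keyUsageCritical = true,                                       \
        .keyUsageValue =                                                \
        GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT,     \
        .keyPurposeEnable = true,                                       \
        .keyPurposeCritical = true,                                     \
        .keyPurposeOID1 = GNUTLS_KP_TLS_WWW_SERVER,                     \
    };                                                                  \
    test_tls_generate_cert(&varname, cavarname.crt)

/* PKIX ASN.1 syntax table for libtasn1; defined in a separate source file */
extern const asn1_static_node pkix_asn1_tab[];

#endif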